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ABSTRACT 

The  Internet  of  Things  (IoT)  is  an  ever-growing  network  of  smart  objects.  It  refers  to  the  physical  objects  are 
capable  of  exchanging  information  with  other  physical  objects.  It  introduces  various  services  and  human’s  routine  life 
depends  on  its  available  and  reliable  activities.  Therefore,  the  challenge  of  implementing  secure  communication  in  the  IoT 
network  must  be  addressed.  The  IoT  network  is  secured  with  encryption  and  authentication,  but  it  cannot  be  protected 
against  cyber-attacks.  Hence,  the  Intrusion  Detection  System  (IDS)  is  needed.  In  this  paper,  we  discuss  some  security 
attacks  and  various  intrusion  detection  approaches  to  mitigate  those  attacks. 
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INTRODUCTION 

Internet  of  Things 

The  Internet  of  Things  (IoT)  is  a smart  network  which  connects  all  things  to  the  internet  for  the  purpose  of 
exchanging  information  with  agreed  protocols  [1],  So,  anyone  can  access  anything,  at  any  time  and  from  anywhere  [2],  In 
IoT  network,  things  or  objects  are  wirelessly  connected  with  smart  tiny  sensors.  IoT  devices  can  interact  with  each  other 
without  human  intervention  [3].  IoT  uses  unique  addressing  schemes  to  interact  with  other  objects/things  and  cooperate 
with  objects  to  create  new  applications  or  services.  IoT  introduces  various  applications  like  smart  homes,  smart  cities, 
health  monitoring,  smart  environment,  and  smart  water  [25].  With  the  development  of  IoT  applications,  there  are  so  many 
issues  raised.  Among  many  other  issues,  security  issue  of  IoT  cannot  be  ignored.  IoT  devices  are  accessed  from  anywhere 
via  entrusted  network  like  the  internet  so  IoT  networks  are  unprotected  against  a wide  range  of  malicious  attacks.  If 
security  issues  are  not  addressed  then  the  confidential  information  may  be  leaked  at  any  time.  Thus,  the  security  problem 
must  be  addressed. 

• Confidentiality:  An  attacker  can  easily  intercept  the  message  passing  from  sender  to  the  receiver  so  that  privacy 
can  be  leaked  and  content  can  be  modified  [19],  So  that  secure  message  passing  is  required  in  IoT. 

• Integrity:  The  message  must  not  be  altered  in  transit;  it  should  be  received  at  receiver  node  same  as  it  is  sent  at 
sender  node.  Integrity  guarantees  that  message  has  not  been  altered  by  unauthorized  persons  while  in  transmission 
[19]. 

• Availability:  Data  or  resources  must  be  available  when  required  [19].  Attackers  can  flood  the  bandwidth  of 
resources  to  damage  the  availability.  Availability  can  be  damage  by  malicious  attacks  like  Denial  of  service 
(DOS)  attack,  flooding  attack,  black  hole  attack,  jamming  attacks  etc. 
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• Authenticity:  Authenticity  involves  proof  of  identity  [20].  Users  should  be  able  to  identify  each  other’s  identity 
with  which  they  are  interacting.  It  can  be  verified  through  authentication  process  so  the  unauthorized  entity  cannot 
participate  in  the  communication  [21]. 

• Non-Repudiation:  Non-repudiation  ensures  that  the  sender  and  receiver  cannot  deny  having  sent  and  received  the 
message  respectively  [22], 

• Data  Freshness:  Data  must  be  recent  whenever  required.  It  guarantees  that  the  no  old  messages  replayed  by  an 
adversary  [23]. 

Intrusion  Detection  System 

Intrusion  Detection  System  (IDS)  is  used  to  monitor  the  malicious  traffic  in  particular  node  and  network.  It  can 
act  as  a second  line  of  defense  which  can  defend  the  network  from  intruders  [26].  Intrusion  is  an  unwanted  or  malicious 
activity  which  is  harmful  to  sensor  nodes.  IDS  can  be  a software  or  hardware  tools.  IDS  can  inspect  and  investigate 
machines  and  user  actions,  detect  signatures  of  well-known  attacks  and  identify  malicious  network  activity.  The  goal  of 
IDS  is  to  observe  the  networks  and  nodes,  detect  various  intrusions  in  the  network,  and  alert  the  users  after  intrusions  had 
been  detected.  The  IDS  works  as  an  alarm  or  network  observer  it  avoids  damage  of  the  systems  by  generating  an  alert 
before  the  attackers  begin  to  attack.  It  can  detect  both  internal  and  external  attacks.  Internal  attacks  are  launched  by 
malicious  or  compromised  nodes  that  belong  to  the  network  whereas  external  attacks  are  launched  by  third  parties  who  are 
initiated  by  outside  network.  IDS  detect  the  network  packets  and  determine  whether  they  are  intruders  or  legitimate  users. 
There  mainly  three  components  of  IDS:  Monitoring,  Analysis  and  detection,  Alarm  [24].  The  monitoring  module  monitors 
the  network  traffics,  patterns  and  resources.  Analysis  and  Detection  is  a core  component  of  IDS  which  detects  the 
intrusions  according  to  specified  algorithm.  Alarm  module  raised  an  alarm  if  intrusion  is  detected  [24], 

Types  of  IDS 

• Signature  Based  IDS:  Signature  based  IDS  matches  the  existing  profile  of  the  network  against  pre -defined  attack 
patterns  or  signatures.  It  is  also  known  as  a rule-based  detection  technique.  Signatures  or  patterns  are  pre -defined, 
stored  in  the  database  and  each  attack  can  be  detected  according  to  patterns  or  signatures.  This  technique  is  simple 
to  use.  This  technique  only  requires  patterns  of  individual  attacks  and  must  also  store  those  patterns  in  some 
database.  This  approach  needs  specific  knowledge  of  the  individual  attack.  It  needs  more  storage  space  with 
increasing  the  number  of  attacks.  Thus,  this  approach  is  very  expensive.  This  technique  cannot  identify  new 
attacks  unless  their  signatures  or  patterns  are  manually  added  into  the  database.  So  it  needs  up-gradation  of 
database  regularly  with  new  signatures  of  attacks  [29].  Thus,  it  is  a static  approach.  This  approach  has  two  main 
disadvantages:  a)  it  needs  the  knowledge  to  form  attack  patterns,  b)  It  cannot  discover  new  and  previously 
unknown  attacks  [4], 

• Anomaly  Based  IDS:  This  technique  is  also  known  as  event-based  detection.  This  technique  identifies  malicious 
activities  by  analyzing  the  event.  Firstly,  it  defines  the  normal  behavior  of  the  network.  Then,  if  any  activity 
differs  from  normal  behavior  then  its  mark  as  an  intrusion  [30]  in  this  approach,  a malicious  node  can  be  detected 
by  matching  the  current  protocol  specification  with  previously  defined  protocol  state.  This  approach  detects 
attacks  more  efficiently  than  Signature  based  IDS.  The  main  concepts  behind  this  kind  of  security  mechanisms  are 
copied  from  statistical  behavior  modeling,  which  identifies  malicious  contents  in  a precise  and  reliable  way  with 
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giving  little  incorrect  positives  rates.  Automated  training  is  generally  used  to  define  a normal  behavior  of  the 
system.  It  is  a very  costly  method  for  resource-  constrained  objects  [4], 

• Specification  Based  IDS:  This  technique  is  somewhat  similar  to  anomaly  detection  technique.  In  this  technique, 
the  normal  behaviour  of  the  network  is  defined  by  manually,  so  it  gives  less  incorrect  positives  rate.  This 
technique  attempts  to  excerpt  best  between  signature-based  and  anomaly  based  detection  approaches  by  trying  to 
clarify  deviations  from  normal  behavioral  patterns  that  are  created  neither  by  the  training  data  nor  by  the  machine 
learning  method.  The  development  of  attack  or  protocol  specification  is  done  by  manually  so  it  takes  more  time. 
So,  this  can  be  a disadvantage  of  this  approach  [4], 

INTERNET  OF  THINGS  ARCHITECTURE 

There  are  three  main  layers  of  IoT  system  architecture  as  shown  in  Figure  1 : Application  (Service)  layer,  Network 
(Transportation)  layer  and  Perception  layer 


Application  or  Service  Layer 


•Logistics  Supply 
•Disaster  Warning 
• Small  Home 


Network  Layer 


•GSM/GPRS/3G 

•ISDN/PSTN 

•Wifi 


Perception  Layer 


•RFID 

• Bluetooth 

• Sensor 

Figure  1:  Internet  of  Things  Architecture  [5] 

The  Perception  Layer 

It  is  the  primary  layer  of  IOT.  This  layer  can  collect  and  observes  all  types  of  information  which  are  used  in  IoT 
environment.  This  information  can  be  captured  by  using  the  sound  sensors,  RFID  sensors,  temperature  sensors,  camera, 
GPS  etc.  [5]  There  are  two  parts  of  perception  layer:  i)  the  perception  node  which  is  used  for  data  control  and  ii)  the 
perception  network  which  is  used  to  sends  data  to  the  controller  [18], 

The  Network  (Transportation)  Layer 

This  layer  also  known  as  transportation  layer.  This  layer  has  transmission  capabilities  to  transfer  data  from  lower 
layer  to  upper  layer  [5],  This  layer  can  also  transmit  the  information  or  data  via  the  internet.  So  this  layer  can  combine 
various  heterogeneous  networks  [18]. 

The  Application  (Service)  Layer 

This  layer  also  known  as  a service  layer  this  layer  converts  information  into  content  and  provides  a good  user 
interface  (UI)  to  a higher  level  or  end  users.  The  main  problem  with  this  layer  is  share  information  with  communities  in  a 
secure  way  so  no  unauthorized  person  can  read  it  [5], 

CYBER  ATTACKS  ON  IOT  APPLICATIONS 

Sensor  networks  are  exposed  to  various  types  of  attacks  both  from  internal  and  external.  Attacks  are  mainly 
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classified  by  two  types  inside  and  outside  attacks.  In  an  outside  attack,  the  attacker  is  not  a part  of  the  network  while  in  an 
inside  attack,  the  attack  can  be  initiated  by  compromised  or  malicious  nodes  that  are  part  of  the  network.  In  the  following, 
we  discuss  some  potential  cyber-attacks  on  IoT  applications. 

• Sinkhole  Attack:  In  this  attack,  malicious  node  at-  tracts  network  traffic  towards  it.  To  launch  these  types  of 
attack,  a malicious  node  attract  all  adjacent  nodes  to  forward  their  packets  through  the  malicious  node  by  showing 
its  routing  cost  minimum.  The  attacker  creates  an  attack  by  introducing  false  node  inside  a network  [6]. 

• Wormhole  Attack:  In  this  attack,  the  adversary  node  creates  a virtual  tunnel  between  two  ends.  An  adversary 
node  acts  as  a forwarding  node  between  two  actual  nodes.  The  two  malicious  nodes  usually  claim  that  they  are 
one  hop  away  from  the  base  station.  The  wormhole  attack  can  also  be  used  to  convince  two  distinct  nodes  that 
they  are  the  neighbors  by  relaying  packets  between  two  of  them  [6],  [7]. 

• Selective  Forwarding  Attack:  In  this  attack,  malicious  node  acts  as  a normal  node  but  it  selectively  drops  some 
packets  [6].  Black  hole  attack  is  the  simplest  form  of  selective  forwarding  attack  in  which  all  packets  are  dropped 
by  the  malicious  node. 

• Sybil  Attack:  In  this  attack,  the  node  has  multiple  identities.  The  routing  protocol,  detection  algorithm  and  co- 
operation processes  can  be  attacked  by  a malicious  node  [6]. 

• Hello  Flood  Attack:  In  a sensor  network,  the  routing  protocol  broadcast  hello  message  to  announce  its  presence  to 
its  neighbors.  A node  which  receives  the  hello  message  may  assume  that  the  source  node  is  within  its 
communication  range  and  add  this  source  node  to  its  neighbor  list  [7]. 

• Denial  of  Service  (DOS)  Attack:  This  attack  can  damage  the  availability  of  resources.  When  this  attack  is  made, 

resources  are  not  available  to  legitimate  users.  Such  type  of  attacks,  when  launched  by  various  malicious  nodes  is 
called  DDoS.  This  attack  may  affect  the  network  resources,  bandwidth,  CPU  time  etc. 

EXISTING  IDS  APPROACHES 

Many  researchers  have  been  working  on  IoT  and  wireless  sensor  areas  to  provide  the  best  security  mechanism.  In 
this  section,  we  described  various  intrusion  detection  systems  which  are  proposed  in  recent  years. 

Rule-Based  Approaches 

Chen  Jun  [8]  proposed  event  processing  based  IDS  to  solve  the  problem  of  real  time  of  IDS  in  IoT  network.  In 
this  approach,  they  designed  the  IDS  architecture  on  the  basis  of  Event  Processing  Model  (EPM).  It  is  rule-based  IDS  in 
which  rules  are  stored  in  Rule  Pattern  Repository  and  takes  SQL  and  EPL  of  Epser  as  a reference.  According  to  obtained 
result,  this  approach  consumed  more  CPU  resources,  consumed  less  memory  and  took  less  processing  time  than  traditional 
IDS. 

Ms.  T.  Eswari  [9]  proposed  a rule-based  intrusion  detection  system  framework  for  wireless  sensor  network.  There 
are  three  main  phases  of  this  approach.  The  first  phase  is  local  auditing  phase  which  validates  the  packets  to  verily  that 
packet  is  arriving  from  a valid  neighboring  node  or  not.  The  second  phase  is  rule  application  phase  which  works  in 
promiscuous  mode.  The  third  phase  is  intrusion  detection  phase  which  detects  routing  attacks  by  validating  data  collected 
from  content  suppression  unit.  This  security  mechanism  can  be  able  to  detect  only  routing  attacks. 
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Anomaly  Based  Approaches 

Abdulaziz  Alsadhan  [10]  proposed  an  optimized  intrusion  detection  system  using  soft  computing  technique.  Hie 
main  objective  of  proposed  security  mechanism  is  to  increase  the  performance  of  the  system  and  identify  each  activity  in  a 
robust  way.  They  proposed  and  implemented  soft  computing  techniques  like  PCA,  LDA,  LBP,  PSO,  Greedy  Search,  SVM 
and  MLP.  In  this  approach,  the  number  of  features  is  reduced  with  the  increasing  of  detection  rates. 

Yousef  EL  Mourabit  [11]  proposed  an  intrusion  detection  system  in  WSN  based  on  mobile  agent.  This  approach 
uses  multi-agent  and  a classification  based  approach  for  detection  of  intrusions.  There  are  three  mobile  agents  are  used  to 
detect  the  intrusions.  The  first  agent  is  collector  agent  which  collects  the  data  from  the  wireless  environment  and  gives 
feedback  to  the  misuse  detection  agent.  The  second  agent  is  misuse  detection  agent  which  detects  the  known  attacks  using 
misuse  detection  technique.  The  third  agent  is  anomaly  detection  agent  which  detects  the  unknown  attacks  by  using  SVM 
classification  algorithm.  The  proposed  system  has  fewer  parameters  to  characterize  the  attacks  so  work  can  be  enhanced  by 
creating  more  complex  detection  parameters  and  using  statistical  anomalies  detection  and  enabling  the  creation  of  attack 
signatures. 

Sandhya  G [12]  proposed  IDS  in  wireless  sensor  network  using  genetic  k-means  algorithm.  In  this  approach,  the 
false  positive  rate  is  reduced  and  high  detection  rate  is  achieved.  This  algorithm  is  more  suit-  able  for  dynamic  topologies. 
It  acts  as  intelligent  IDS  that  can  analyze  generated  intrusion  alerts  and  it  also  can  detect  new  attacks  without  any 
pre-defined  patterns  or  signatures. 

Hierarchical  Energy  Efficient  Based  Approaches 

Samir  Athmani  [13]  proposed  a hierarchical  energy  efficient  IDS  to  detect  black  hole  attacks  in  WSN  which  is 
implemented  in  NS2  network  simulator.  In  this  approach,  sensor  node  and  base  station  are  ex-  changing  control  packets 
with  each  other.  Each  control  packet  contains  the  node  id  and  number  of  packets  sent  to  the  cluster  head.  The  base  station 
is  working  on  monitor  mode  to  detect  black  hole  attacks.  This  approach  also  consumes  the  less  energy  for  intrusion 
detection.  They  don’t  give  a guarantee  that  proposed  approach  can  detect  all  black  hole  attacks,  but  it  can  reduce  the 
impact  of  attacks. 

A.  Babu  Karuppiah  [14]  proposed  an  energy  efficient  IDS  to  detect  Sybil  node  in  WSN.  Hie  proposed  system 
defines  two  cases.  In  the  first  case,  centralized  approach  is  implemented  to  send  and  acknowledge  the  query  of  data 
packets.  Cluster  head  maintains  a table  which  is  used  to  store  identities  and  positions  of  all  nodes.  In  the  second  case,  all 
legitimate  nodes  reply  to  the  cluster  head  with  their  identities  and  current  position  coordinates.  Sybil  node  also  sends  their 
identities  and  current  position  so  cluster  head  matches  those  data  in  a table  with  legitimate  nodes  data.  Sybil  node  is 
detected  if  any  conflict  rose.  Simulation  result  shows  that  proposed  system  improves  the  energy  efficiency  and  it  detects 
the  Sybil  node  accurately. 

Distributed  Detection  Based  Approach 

N.  Dharini  [15]  proposed  a distributed  detection  approach  to  detect  flooding  and  gray  whole  attacks  in  WSN 
which  is  implemented  in  NS2  simulator  with  MANNASIM  framework.  In  this  approach,  abnormality  of  the  nodes 
behaviour  observed  by  a light  weight  energy  prediction  algorithm.  In  this  system  cluster  head  is  responsible  for  energy 
prediction  for  all  nodes  in  the  cluster.  The  attack  can  be  detected  by  abnormalities  between  predicted  and  actual  energy. 
Detection  accuracy  is  achieved  by  obtaining  high  prediction  accuracy.  According  to  the  result,  we  can  say  that  this 
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mechanism  is  energy  saving  mechanism.  This  approach  can  only  detect  gray  whole  and  flooding  attacks. 

Cluster-Based  Approach 

Christian  Cervantes  [16]  proposed  IDS  to  detect  sinkhole  attacks  for  IoT  called  as  INTI  which  is  implemented  in 
Cooja  simulator.  The  proposed  system  defines  four  modules.  The  first  module  is  Cluster  con-  figure  ration  module  which  is 
responsible  for  classifying  a node  like  members,  leaders  and  associated  according  to  their  network  functions.  The  second 
one  is  monitoring  of  routing  module  in  which  observer  node  monitors  the  number  of  transmissions  is  performed.  The  third 
one  is  attacker  detection  module  which  detects  the  sinkhole  attacking  node.  The  fourth  module  is  the  isolation  of  attacker 
module  which  isolates  the  malicious  node  from  the  cluster  and  it  also  raised  an  alarm  to  inform  its  neighboring  nodes.  The 
simulation  result  shows  that  92%  detection  rate  is  achieved.  This  approach  only  detects  sinkhole  attacks  so  work  can  be 
enhanced  by  detection  of  other  types  of  attacks. 

Hybrid  Approach 

Shahid  Raza  [17]  proposed  a real-time  intrusion  detection  system  in  IoT  called  as  SVELTE.  SVELTE  is  only  IDS 
available  in  IoT  which  is  implemented  in  Contiki  OS.  In  this  approach,  there  are  three  main  centralized  elements  which  are 
placed  in  6L0WPAN  Border  Router.  The  first  element  is  6L0WPAN  Mapped  which  collects  information  about  the  RPL 
protocol  and  rebuild  the  networks  in  6BR.  The  second  element  is  intrusion  detection  element  which  detects  the  intrusion  by 
analyzing  the  mapped  data.  The  third  element  is  a distributed  mini  firewall  which  filters  the  malicious  traffic  before  it 
reaches  to  the  network.  This  approach  can  only  detect  spoofing  attacks  inside  the  network,  sinkhole  and  selective 
forwarding  attacks. 

CONCLUSIONS 

In  this  paper,  we  made  an  attempt  to  provide  a survey  on  the  intrusion  detection  system  for  the  internet  of  things. 
With  the  development  of  IoT,  there  are  so  many  issues  raised.  Among  many  other  issues,  security  issues  cannot  be  ignored. 
Here  we  discussed  some  potential  security  attacks  which  are  made  on  IoT  applications  and  various  intrusion  detection 
approaches  which  are  available  to  mitigate  those  attacks.  Still  those  approaches  cannot  be  able  to  detect  all  types  of 
cyber-attacks  and  are  not  feasible  for  IoT  network  because  it  requires  more  processing  power,  memory  and  bandwidth  for 
intrusion  detection.  Thus,  future  research  in  this  direction  would  be  to  develop  lightweight  security  mechanism  which  will 
take  fewer  resources  for  intrusion  detection. 
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